A Linux variant of DinodasRAT has been identified in cyberattacks in several countries.
Recent research from Kaspersky has discovered, in the wild, DinodasRAT, a Linux variant of a multi-platform trojan that targets China, Taiwan, Turkey, and Uzbekistan.
DinodasRAT, also known as XDealer, is malware written in C++ that harvests a wide range of sensitive data from the hosts it compromises.
Slovak cybersecurity firm ESET disclosed in October 2023 that a governmental organization in Guyana had been the target of Operation Jacana, a cyber espionage campaign designed to distribute the Windows variant of the implant.
Then, last week, Trend Micro published details of a threat activity cluster it tracks as Earth Krahang, which has used DinodasRAT in attacks against multiple government entities worldwide since 2023.
Multiple China-nexus threat actors, including LuoYu, have been linked to the use of DinodasRAT, once again demonstrating the prevalence of tool sharing among cyber crews designated as acting on behalf of the country.
Kaspersky identified a Linux variant of the malware (V10) in early October 2023. The available evidence indicates that the earliest documented variant (V7) originated in 2021.
It primarily targets Ubuntu Linux and Red Hat-based distributions. It establishes persistence on the host through SysV or systemd init scripts and periodically contacts a remote server over TCP or UDP to retrieve the commands it will execute.
DinodasRAT possesses the capability to execute shell commands, modify command-and-control (C2) addresses, enumerate and terminate active processes, acquire a new version of the backdoor, and conduct file operations and uninstallation.
In addition to employing diagnostic and monitoring tools to avoid detection, the malware, like its Windows counterpart, encrypts C2 communications with the Tiny Encryption Algorithm (TEA).
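As an added example that is not code from the page or from the malware itself: a TEA reference implementation an analyst can use to decode captured C2 traffic once the 128-bit key has been recovered from a sample. Little-endian word order, ECB mode and PKCS#7 padding are assumptions (the page does not say which mode DinodasRAT uses), and SAMPLE_KEY is a constructed placeholder.

```python
import struct

DELTA, MASK32 = 0x9E3779B9, 0xFFFFFFFF
# Constructed 16-byte key for demonstration only; a real key has to be
# recovered from the sample (config or memory) and is not given on the page.
SAMPLE_KEY = b"ExampleKey16Byte"

def key_to_words(key: bytes) -> tuple:
    """Split the 128-bit key into four 32-bit words (little-endian assumed); struct rejects other lengths."""
    return struct.unpack("<4I", key)

def tea_encrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Encrypt one 64-bit block (two 32-bit words) with the standard 32 TEA cycles."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1

def tea_decrypt_block(v0: int, v1: int, k: tuple) -> tuple:
    """Inverse of tea_encrypt_block: undo the cycles starting from the final sum."""
    s = (DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1

def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """ECB-mode TEA over PKCS#7-padded bytes (mode and padding are assumptions)."""
    k, pad = key_to_words(key), 8 - len(data) % 8
    data += bytes([pad]) * pad
    out = bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack("<2I", *tea_encrypt_block(*struct.unpack("<2I", data[i:i + 8]), k))
    return bytes(out)

def tea_decrypt(data: bytes, key: bytes) -> bytes:
    """Decrypt ECB-mode TEA output and strip PKCS#7 padding (bad padding usually means wrong key)."""
    if not data or len(data) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    k, out = key_to_words(key), bytearray()
    for i in range(0, len(data), 8):
        out += struct.pack("<2I", *tea_decrypt_block(*struct.unpack("<2I", data[i:i + 8]), k))
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key, mode or byte order")
    return bytes(out[:-pad])
```

Because ECB encrypts equal 8-byte blocks to equal ciphertext, repeated block patterns in captured traffic are one sign that a sample is using this mode, which helps when writing network detections.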
“DinodasRAT’s primary use case is to gain and maintain access via Linux servers rather than reconnaissance,” Kaspersky indicated. “The backdoor is fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage.”